How do I use CVS without typing my password each time?Christopher Brooks, 9 Aug 2010Last updated: 12 Jan 2011

To use CVS to update files without typing your password, you will need first need a CVS account, see
How do I get a CVS account? and request an
individual account. In the comments section
be sure to state that you think you have a shared
account and that you would like your account
recreated as an individual account so
that you do not have to type your password.

SSH (and therefore CVS) can use RSA and Rhosts style authentication to
make it so that you can login without typing your password. Using Rhosts authentication alone is insecure,
and most CVS servers (this one included) disallow it.
RSA can be used with or without Rhosts authentication.
Using RSA alone, any user with the appropriate RSA
key and passphrase can access the repository.
Using RSA and Rhosts restricts repository access to only computers listed in Rhosts that also have the appropriate RSA key.

Note that for RSA with Rhosts authentication
to work, each host that
you are logging in from needs to be listed in two files.
If you are connecting from multiple hosts via dynamic
DSL, then each time you connect, you are likely to
have a different address, which makes managing
the file difficult. There are several possible
solutions, one is to try to use wildcards
in ~/.ssh/known_hosts and ~/.shosts,
the other is to run a script that updates these
files automatically. Both solutions are complex
and have security issues, so we do not cover them here.
It is much simpler to use RSA authentication alone
in this case.

RSA authentication

Once your account has been set up, do the following:

Create ~/.ssh/id_rsa.pub on the
local machine:
Unix, including probably Mac OS X:
If ~/.ssh/id_rsa.pub does not exist,
on your local machine,
then create it by running ssh-keygen -t rsaWhen prompted for a passphrase, hit return.
If you type in a passphrase here, you will be prompted
for that passphrase each time.
Running ssh-keygen will generate the files
~/.ssh/id_rsa and
~/.ssh/id_rsa.pub, which
are your private and public encryption keys respectively.
Windows:

where yoursourcelogin is the your CVS login
on source.eecs.berkeley.edu (which may be different
from your website login)

From the local machine, test ssh with:

ssh yoursourcelogin@source.eecs.berkeley.edu cvs

to check the set up.

Below is a sample run

cxh@DOPLAP03 ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
The key fingerprint is:
03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03
cxh@DOPLAP03 ~
$ chmod 0644 ~/.ssh/id_rsa.pub
cxh@DOPLAP03 ~
$ scp ~/.ssh/id_rsa.pub cxh@source.eecs.berkeley.edu:~/.ssh/authorized_keys2
The authenticity of host 'source (128.32.171.225)' can't be established.
RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'source,128.32.171.225' (RSA) to the list of know
n hosts.
cxh@source's password:
id_rsa.pub 100% |*****************************| 222 00:00
cxh@DOPLAP03 ~
$ ssh cxh@source.eecs.berkeley.edu cvs
Usage: cvs [cvs-options] command [command-options-and-arguments]
where cvs-options are -q, -n, etc.
(specify --help-options for a list of options)
where command is add, admin, etc.
(specify --help-commands for a list of commands
or --help-synonyms for a list of command synonyms)
where command-options-and-arguments depend on the specific command
(specify -H followed by a command name for command-specific help)
Specify --help to receive this message
The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
the CVS home page at http://www.cvshome.org/ or
Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
cxh@DOPLAP03 ~
$

The above steps should not prompt you for your password each time you run a cvs command. There are two ways to enable yourself to not type a passphrase each time.

The first is to use only RSA authentication as described above, and give an empty passphrase.
Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account.
RSA authentication works with ssh1 and ss2.

The second way is to set up Rhosts RSA authentication,
which currently only works with ssh1.
In this case, ssh will authenticate your computer instead of you. It is somewhat safer for your computer to log in without a password
because the CVS server can determine where your computer
is located. Your computer can only login without
a password if it also has the correct name and IP.
This method is shown below.

Rhosts RSA authentication

These instructions apply to ssh1 clients, like
the version of ssh that is currently shipped with cvsssh.
For ssh2, see above.

Setup ~/.shosts on gigasource:
Create a temporary file on your local machine that
contains the name of the host you will be logging in
from.

echo "myhost.eecs.berkeley.edu" > /tmp/shosts

Change the permissions of the file on you local
machine so that it is only readable by you. Note
that you can't run chmod on the remote
machine under rksh, so you need to fix the permissions
before you copy the file over.

On your Windows machine, check to see if the file
c:sshetcssh_host_key.pub exists:

If it does not exist, generate host keys on your Unix machine
and copy them over. Note that the ssh-keygen command
that is shipped with the Windows CVS SSH package will
not work, you should run ssh-keygen
on a Unix host. Note that the -N below indicates
that your computer will not have a passphrase.

cd /tmp
ssh-keygen -b 1024 -f ssh_host_key -N ''

On Windows, you can copy the files with scp. If you use scp here,
note that scp does not understand the Windows c: naming convention,
it think c: is a machine named 'c'. To copy the file under bash
on Windows:

If c:/etc/ssh/ssh_host_key.pub exists on your Windows machine,
copy it to a temporary file on the Unix machine:

cd c:/ssh/etc
scp ssh_host_key.pub yourunixmachine:/tmp

Set up ~/.ssh/known_hosts on gigasource:
On gigasource, ~/.ssh/known_hosts lists hosts
that are allowed to connect without a password. Since
we can't edit files on gigasource from the restricted shell,
we create the file on the local machine and copy it
over to gigascale.
Note that if you are connecting from multiple machines,
you will need to add a line to this file for each
machine you are connecting from. The easiest way
to do this is to use scp to transfer the file
to a local machine, edit the file locally and then
scp it back to gigasource.

Grab the contents of the copy of ssh_host_key.pub that
you either generated or copied over, and create a temporary
file

Add the fully qualified domain name of the windows machine
to the beginning of the line.
You should end up with something like